Friday, December 23, 2011

The proposed replacement of the EU Data Protection Directive with a regulation
sometime next year is likely to result in a multitude of changes to privacy
regulation in the EU and around the world, and it may make the use of Binding
Corporate Rules (BCRs) more attractive for midsize companies and data
processors. While 2011 was the year of Privacy by Design, 2012 may end up being
the year of the BCRs if this proposed regulation becomes law. (You may find some
examples of these rules at the end of this blog post.)

The revision to the EU Data Protection Directive is likely to take the form of
a regulation instead of a directive, which may result in more uniform data
protection laws across the EU. Nevertheless, EU data protection law is based to
a certain extent on local employment and labor law. Therefore, there is bound to
be some variation in implementation, and the differences in culture and
enforcement are likely to continue. While there will be many exciting and
controversial changes to the Directive, from enormous fines to the right to
oblivion, BCRs have already taken center stage. (You may read more about the
proposed revisions to the EU Data Protection Directive, titled “Regulation of
the European Parliament and of the Council on the protection of individuals
with regard to the processing of personal data and on the free movement of such
data (General Data Protection Regulation)”, here.)

The original BCR system was overly bureaucratic and costly. When the BCR system
first started, the applicant had to seek authorization from each Data
Protection Authority (DPA) in the EU. Considering all of the language and
cultural barriers to reviewing a set of rules, this process was mired in
reviews and re-reviews until every DPA’s requirements were met. In fact, Peter
Fleischer called BCRs data protection for the rich. The system was later
streamlined to 5-7 DPA reviews, with a single DPA acting as the lead. This
shrank the time to obtain authorization from years to around 9 months. However,
the process is still expensive and cumbersome. That may not be the case under
the revisions to the Directive.

During her keynote address at the IAPP Europe Data Protection Congress,
European Commissioner Viviane Reding shared her plans to make binding corporate
rules even more effective through simplicity, consistent enforcement, and
innovation. She pointed to the bureaucratic nature of the BCR approval process,
stating:

I see this legal fragmentation as a
costly administrative burden. It wastes time and money. It is detrimental to
the credibility and efficiency of data protection authorities and data
protection tools.

I intend to propose a consistent and
streamlined approval process with a single point of contact for companies
amongst the data protection authorities. And, once the binding corporate rules
are approved by one data protection authority, I want them to be recognised by
all European data protection authorities. And there should be no need for
additional national authorisation in case of further transfers.

Though some DPAs have disagreed with this approach, others have already started
pushing companies to begin preparing for these BCRs. Considering that the BCRs
are likely to be broad enough to apply to processors as well as data
controllers, using BCRs for inter-company as well as intra-company transfers
may become a reality in the near future.

Therefore, if they are simplified and expanded to processors, 2012 may indeed
be the year of the Binding Corporate Rules. Instead of relying solely on
Standard Contractual Clauses, midsize companies could obtain authorization from
a single DPA for all of their intra-company data flows. Furthermore, they may
also be able to obtain BCR authorization as safe processors. This should enable
cloud service providers to offer cloud services to other companies under their
BCRs. Under the older BCR system, companies were only able to obtain BCR
authorization for data of which they were the data controllers. Under the new
system, BCRs for data processors should also be possible. As a result, BCRs
should become a true option for midsize companies and processors of all
kinds--and quite likely a favored option for cloud service providers.

You may read about some of the BCRs that have already been approved by the EU
DPAs below. Note, however, that it is the underlying processes and policies
supporting the BCRs that are difficult to implement and to demonstrate.
Nevertheless, these BCRs should prove useful in finding out what the DPAs are
looking for in these policies.
